Attorney General James Secures $200,000 from Law Firm for Failing to Protect New Yorkers’ Personal Data

HPMB Law Firm Failed to Implement Data Security Measures to Protect New Yorkers’ Health Information from Data Breaches

NEW YORK – New York Attorney General Letitia James secured $200,000 from the law firm, Heidell, Pittoni, Murphy & Bach LLP (HPMB) for failing to protect New Yorkers’ personal and healthcare data. HPMB’s poor data security measures made it vulnerable to a 2021 data breach that compromised the private information of approximately 114,000 patients, including more than 60,000 New Yorkers. The law firm represents New York City area hospitals and maintains sensitive private information from patients, including dates of birth, social security numbers, health insurance information, medical history, and/or health treatment information. HPMB’s data security failures violated not only state law, but also HIPAA, which required HPMB to adhere to certain advanced data security practices. As a result of the agreement, HPMB must pay $200,000 in penalties to the state and strengthen its cybersecurity measures to protect consumers’ personal and private health information. 

“New Yorkers should not have to worry that their privacy is being violated and their sensitive information is being mishandled,” said Attorney General James. “Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”

In November 2021, an attacker was able to exploit a vulnerability in HPMB’s Microsoft Exchange email server to gain access to HPMB’s systems. Patches for this vulnerability had been released by Microsoft several months earlier, but HPMB had not applied these patches in a timely manner, leaving this vulnerability exposed for potential exploitation. In December 2021, an attacker deployed malware on HPMB’s systems which resulted in a disruption in HPMB’s email system. In its subsequent investigation, HPMB found that tens of thousands of files had been potentially taken from HPMB’s systems. An analysis of these files determined that electronic health information and/or private information — including names, dates of birth, social security numbers, and/or health data — of 114,979 individuals, including 61,438 New York residents, had likely been exposed as a result of the attack. 

In May 2022, HPMB began notifying affected consumers whose personal information was compromised during the incident. The Office of the Attorney General determined that HPMB had failed to adopt reasonable practices to protect consumers’ personal information in several areas. In particular, HPMB failed to adopt several measures required by HIPAA, including conducting regular risk assessments of its systems, encrypting the private information on its servers, and adopting appropriate data minimization practices. HPMB is covered by HIPAA because of its business relationship with hospitals.

As a result of today’s agreement, HPMB must pay the state $200,000 in penalties. HPMB is also required to adopt measures to better protect the personal and private health information of its clients’ patients going forward, including:

  • Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the firm’s leadership;
  • Encrypting the private and health information it collects, uses, stores, and maintains;
  • Implementing centralized logging and monitoring of network activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged;
  • Establishing a reasonable patch management program, including appropriate monitoring of required updates, supervision of the program, and training for employees;
  • Developing a penetration testing program that includes regular testing of HPMB’s network security; and,
  • Updating its data collection and retention practices, including only collecting data to the minimum extent necessary to perform legitimate business functions and permanently deleting all such data when there is no longer a reasonable business or legal purpose to retain such information.

This matter was handled by Assistant Attorney General Laura Mumm and Deputy Bureau Chief Clark Russell, with special assistance from Internet and Technology Analyst Nishaant Goswamy, of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.
